ALAS2023-2026-1921


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1921
Advisory Released Date: 2026-07-07
Advisory Updated Date: 2026-07-07
Severity: Important

Issue Overview:

When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens:

SameSite=NoneOfYourBusiness is parsed as None, the most permissive setting.
SameSite=StrictLax is parsed as Lax, a downgrade from Strict.
Affected applications are those that consume Set-Cookie headers from server responses (for example via undici's fetch or proxy code paths) and then forward or rely on the parsed sameSite attribute. A malicious or non-compliant server can coerce the consumer's view of a cookie's SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to provide.

This was introduced in undici 5.15.0 when the cookies feature was added. (CVE-2026-11525)

SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database. (CVE-2026-11822)

SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5. (CVE-2026-11824)

The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.

Affected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.

All releases starting at undici 6.17.0 are affected. (CVE-2026-12151)

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in ERR_PROXY_TUNNEL error messages.

When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.

This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26. (CVE-2026-48615)

A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. (CVE-2026-48617)

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.

This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.

This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26. (CVE-2026-48618)

A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.

This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26. (CVE-2026-48619)

A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups.

This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26. (CVE-2026-48928)

A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings.

This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26. (CVE-2026-48930)

A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request.

This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26. (CVE-2026-48931)

A flaw in Node.js WebCrypto implementation can crash the process if the input of subtle.encrypt() is a multiple of 2GiB.

This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26. (CVE-2026-48933)

A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation.

This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26. (CVE-2026-48934)

A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. --allow-fs-read.

This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26. (CVE-2026-48935)

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**. (CVE-2026-48937)

Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests.

This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse. (CVE-2026-6733)

undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 SS5.4 does not specify any decoding and browsers do not decode either.

Applications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning.

Affected applications are those that use undici's cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header.

This was introduced in undici 7.0.0 (CVE-2026-9679)


Affected Packages:

nodejs22


Issue Correction:
Run dnf update nodejs22 --releasever 2023.12.20260706 or dnf update --advisory ALAS2023-2026-1921 --releasever 2023.12.20260706 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    nodejs22-debuginfo-22.23.1-1.amzn2023.0.1.aarch64
    nodejs22-full-i18n-22.23.1-1.amzn2023.0.1.aarch64
    nodejs22-libs-debuginfo-22.23.1-1.amzn2023.0.1.aarch64
    v8-12.4-devel-12.4.254.21-1.22.23.1.1.amzn2023.0.1.aarch64
    nodejs22-22.23.1-1.amzn2023.0.1.aarch64
    nodejs22-devel-22.23.1-1.amzn2023.0.1.aarch64
    nodejs22-libs-22.23.1-1.amzn2023.0.1.aarch64
    nodejs22-npm-10.9.8-1.22.23.1.1.amzn2023.0.1.aarch64
    nodejs22-debugsource-22.23.1-1.amzn2023.0.1.aarch64

noarch:
    nodejs22-docs-22.23.1-1.amzn2023.0.1.noarch

src:
    nodejs22-22.23.1-1.amzn2023.0.1.src

x86_64:
    nodejs22-libs-debuginfo-22.23.1-1.amzn2023.0.1.x86_64
    nodejs22-full-i18n-22.23.1-1.amzn2023.0.1.x86_64
    nodejs22-devel-22.23.1-1.amzn2023.0.1.x86_64
    nodejs22-debuginfo-22.23.1-1.amzn2023.0.1.x86_64
    nodejs22-libs-22.23.1-1.amzn2023.0.1.x86_64
    v8-12.4-devel-12.4.254.21-1.22.23.1.1.amzn2023.0.1.x86_64
    nodejs22-22.23.1-1.amzn2023.0.1.x86_64
    nodejs22-npm-10.9.8-1.22.23.1.1.amzn2023.0.1.x86_64
    nodejs22-debugsource-22.23.1-1.amzn2023.0.1.x86_64